Jan Steinman wrote:
> Unfortunately, passwords are a problem. It appears to be some hash on the user name, since I tried copying and pasting the password data from one user to another, but the user for which I pasted it cannot log in with that password!

The hashes are salted to make it harder to bulk brute-force users' passwords if the hashes are leaked.
(You can turn off the salting to use a system where password hashes can be copied from user to user, but this is a) less secure and b) will invalidate all existing passwords, requiring them all to be reset. See settings in DefaultSettings.php.)

> Before I go crawling through the code, does anyone have any hints or alternatives by which I can bulk-enter password data for users to use?

The hashing algo is MD5(CONCAT(user_id,'-',MD5(password))).

> Will the 'user_newpassword' field behave better for this sort of thing?

AFAIK it's hashed the same way as the main password.
-- brion vibber (brion @ pobox.com)
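
The per-user salting described in the reply, as an added example that is not part of the original message or MediaWiki's own code: it computes the quoted formula in Python for a constructed list of accounts and shows why a hash pasted from one user_id to another fails to verify. The function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """Lowercase hex MD5, matching what MySQL's MD5() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def salted_hash(user_id: int, password: str) -> str:
    """MD5(CONCAT(user_id, '-', MD5(password))) as quoted in the thread."""
    return md5_hex(f"{user_id}-{md5_hex(password)}")


def verify(user_id: int, password: str, stored: str) -> bool:
    """Recompute the hash for this user_id and compare in constant time."""
    return hmac.compare_digest(salted_hash(user_id, password), stored)


def bulk_hashes(accounts):
    """Map each (user_id, password) pair to the value stored for that user."""
    return {uid: salted_hash(uid, pw) for uid, pw in accounts}


# Constructed sample data: two accounts given the same initial password.
SAMPLE_ACCOUNTS = [(1, "initial-pass"), (2, "initial-pass")]

if __name__ == "__main__":
    table = bulk_hashes(SAMPLE_ACCOUNTS)
    for uid, digest in table.items():
        print(uid, digest)
    # Same password, different user_id: the stored values differ.
    print("hashes equal:", table[1] == table[2])
    # Pasting user 1's hash into user 2's row breaks user 2's login.
    print("copied hash verifies for user 2:",
          verify(2, "initial-pass", table[1]))
```

Because user_id is part of the input, a bulk import has to compute each value against the id of the row it will be written to.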